Access & Roles Flashcards
What is Authentication?
- Demonstration that you are who you say you are
- The user must prove their identity to the server, for example by presenting a username and password (or whatever credential the configured method accepts)
What is Authorization?
- Now that the user is authenticated and trusted, this determines what they are allowed to do
- The server determines whether a client may use a resource or perform a specific job/task
What are Authentication Methods available in Splunk?
- Native Splunk Accounts
- LDAP
- SAML
- Scripted Authentication
If SSO or SAML is configured and it breaks, how do you log in?
Add the login type parameter to the login URI to force native Splunk authentication (the user must still have a native Splunk account):
https://<host>:<port>/en-US/account/login?loginType=splunk
Where are Splunk's native (internal) user accounts stored?
$SPLUNK_HOME/etc/passwd (salted password hashes; not the OS /etc/passwd)
Which authentication method always takes precedence when multiple methods are configured?
Splunk "internal" (native) authentication is always checked first; only if the user is not found there is the external method (LDAP, SAML or scripted) tried.
What is the most common authentication method?
LDAP with AD
In LDAP, what is a DC?
Domain Component
ex. dc=splunk, dc=com
In LDAP, what is a OU?
Organizational Unit
ex. ou=people, dc=splunk, dc=com
In LDAP, what is a CN?
Common Name
ex. cn=Peter Gibbons, ou=people, dc=splunk, dc=com
What can you ask a system administrator for to help configure Splunk with LDAP?
An LDAP Data Interchange Format (LDIF) export of the relevant part of the directory
This lets you review all of the attribute/value pairs of each entry and identify things such as the "Base DN for users", the "Base DN for groups", the user name attribute (e.g. uid or sAMAccountName) and the group member attribute (e.g. member).
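An added example (Python; not part of these flashcards and not Splunk code) that mines a constructed LDIF export for exactly the values the Splunk LDAP strategy asks for: the user and group Base DNs, the user name attribute, the group member attribute, and the group-to-role mapping that falls out of it. The directory entries, group names and role mapping are all assumptions made up for the example.

```python
"""Pull the Splunk LDAP strategy settings out of an LDIF export.

Added example, not from the flashcards or Splunk. The LDIF below is a
constructed sample; the parser handles only plain 'attr: value' LDIF
(no line folding or base64 values) and assumes DNs contain no escaped commas.
"""
from collections import Counter

SAMPLE_LDIF = """\
dn: ou=people,dc=splunk,dc=com
objectClass: organizationalUnit
ou: people

dn: cn=Peter Gibbons,ou=people,dc=splunk,dc=com
objectClass: inetOrgPerson
cn: Peter Gibbons
uid: pgibbons

dn: cn=Michael Bolton,ou=people,dc=splunk,dc=com
objectClass: inetOrgPerson
cn: Michael Bolton
uid: mbolton

dn: ou=groups,dc=splunk,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=splunk-admins,ou=groups,dc=splunk,dc=com
objectClass: groupOfNames
cn: splunk-admins
member: cn=Peter Gibbons,ou=people,dc=splunk,dc=com

dn: cn=splunk-users,ou=groups,dc=splunk,dc=com
objectClass: groupOfNames
cn: splunk-users
member: cn=Peter Gibbons,ou=people,dc=splunk,dc=com
member: cn=Michael Bolton,ou=people,dc=splunk,dc=com
"""

USER_CLASSES = {"inetorgperson", "person", "user", "posixaccount"}
GROUP_CLASSES = {"groupofnames", "groupofuniquenames", "group", "posixgroup"}


def parse_ldif(text):
    """Return a list of entries, each {attribute(lowercase): [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, sep, value = line.partition(":")
        if sep and not value.startswith(":"):   # skip base64 ('::') values
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def _classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def ldap_settings(entries):
    """Base DNs = most common parent DN of user/group entries; attributes from what entries carry."""
    users, groups, uattrs, gattrs = Counter(), Counter(), set(), set()
    for e in entries:
        parent = e["dn"][0].split(",", 1)[-1]   # drop the leading RDN
        if _classes(e) & USER_CLASSES:
            users[parent] += 1
            uattrs |= set(e)
        elif _classes(e) & GROUP_CLASSES:
            groups[parent] += 1
            gattrs |= set(e)
    return {
        "userBaseDN": users.most_common(1)[0][0] if users else None,
        "groupBaseDN": groups.most_common(1)[0][0] if groups else None,
        "userNameAttribute": next((a for a in ("uid", "samaccountname") if a in uattrs), None),
        "groupMemberAttribute": next((a for a in ("member", "uniquemember") if a in gattrs), None),
    }


def user_roles(entries, settings, group_to_role):
    """Map each user name to the Splunk roles granted through LDAP group membership."""
    name_attr, member_attr = settings["userNameAttribute"], settings["groupMemberAttribute"]
    dn_to_name = {e["dn"][0].lower(): e[name_attr][0]
                  for e in entries if _classes(e) & USER_CLASSES and name_attr in e}
    roles = {name: [] for name in dn_to_name.values()}
    for e in entries:
        role = group_to_role.get(e.get("cn", [""])[0]) if _classes(e) & GROUP_CLASSES else None
        for member_dn in (e.get(member_attr, []) if role else []):   # unmapped groups grant nothing
            name = dn_to_name.get(member_dn.lower())
            if name is not None and role not in roles[name]:
                roles[name].append(role)
    return roles


if __name__ == "__main__":
    found = parse_ldif(SAMPLE_LDIF)
    print(ldap_settings(found))
    print(user_roles(found, ldap_settings(found), {"splunk-admins": "admin", "splunk-users": "user"}))
```

The group-to-role dictionary plays the part of the "LDAP group to Splunk role" mapping in the strategy; a group that is not mapped grants no role, which is the behaviour you want for directory groups that have nothing to do with Splunk.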
How does authorization work in Splunk?
- In order for a user to log in they must have a user account and at least one ROLE assigned.
- Access and capabilities cannot be assigned directly to a user. They must be assigned to roles.
- Roles can only add capabilities, not remove them (grants are additive across roles).
- REST API query to inspect a role's data access:
https://host:port/services/authorization/roles/admin
- To faithfully restrict access to data it must be in its own index and restricted from there (srchIndexesAllowed). Search-time obfuscation can be subverted.
- Create separate indexes for data with different classifications and user access levels.
- The default "user" role has access to all non-internal indexes.
Can Splunk use multiple LDAP servers?
Yes. Splunk queries them in the order given by the Connection order field and stops searching as soon as it locates the user on one server.
If the user also exists on a server later in the search order, that entry (and its group memberships) is ignored.
What are some LDAP tools to help you?
GUI apps:
- Apache Directory Studio
- Softerra LDAP Browser
- ADSI Edit (Windows / Active Directory)
Linux CLI:
- ldapsearch
If SSO is configured, which does Splunk handle, Authentication or Authorization?
Authorization. The SSO proxy or identity provider authenticates the user; Splunk still maps that user to roles and enforces what they may do.
What is a user?
A persona (individual or shared)
Not always a single person; it might be a shared credential like the built-in admin user
What is a Role?
A collection of permissions and capabilities
A role is a handle for linking together access rights and capabilities
Access and capabilities cannot be assigned to a user; they must be assigned to roles. If a particular individual needs a specific capability or access, a role must be created for that user, making it a role of one.
What are Capabilities?
User actions associated with roles
Capabilities define what the members of a role can do.
Notable examples include the ability to run a real-time search (rtsearch).
Apps can define additional capabilities beyond the base set.
Can you disable capabilities inherited from parent roles?
No
Roles define search limits how?
How wide a search time range can be (srchTimeWin)
How many concurrent searches a user may run (srchJobsQuota; rtSrchJobsQuota for real-time searches)
How much disk space search artifacts may consume (srchDiskQuota)
What is role inheritance?
As a rule, members of multiple roles inherit properties from the role with the broadest permissions; assigning an additional, more restrictive role never takes access away.
How do users inherit search filter restrictions?
The filters from all of the user's roles are combined. By default (srchFilterSelecting = true) they are joined with OR, so the user sees the union of what each filter selects; a role with srchFilterSelecting = false has its filter joined with AND instead, so that restriction is always applied.
How do users inherit allowed indexes?
The user is given the union of the indexes allowed by every role they are assigned (the highest level of access of any role).
How do users inherit capabilities?
The user is given the union of the capabilities granted by every role they are assigned (the highest level of abilities of any role).
What is the srchIndexesDefault setting?
A semicolon-delimited list of indexes searched when the search does not specify index=.
What is the srchIndexesAllowed setting?
A semicolon-delimited list of indexes (wildcards allowed) a role is permitted to search; * matches all non-internal indexes.
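An added example (Python; not Splunk's code) that models the inheritance rules on these cards over a constructed authorize.conf: allowed and default indexes and capabilities are the union across all of a user's roles (including roles pulled in via importRoles), search filters are ORed unless a role sets srchFilterSelecting = false, and "disabled" in one role cannot take away a grant from another. Two modelling assumptions are not documented Splunk behaviour and should be verified against a real search head: * matches non-internal indexes only, and a role with an empty srchFilter is treated as placing no restriction at all. The role names, index names and filters are made up for the example.

```python
"""Resolve a user's effective Splunk access from authorize.conf role stanzas.

Added example, not Splunk code. Assumptions (not documented Splunk behaviour):
'*' matches non-internal indexes only, and a role with an empty srchFilter
places no restriction. The authorize.conf text below is a constructed sample.
"""
import configparser
from fnmatch import fnmatchcase

SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main
search = enabled
edit_own_objects = enabled

[role_hr_analyst]
srchIndexesAllowed = hr
srchIndexesDefault = hr
srchFilter = host=hr-app*
search = enabled

[role_hr_manager]
importRoles = hr_analyst
srchIndexesAllowed = hr_confidential
srchFilter = host=hr-*
rtsearch = enabled

[role_contractor]
srchIndexesAllowed = web
srchIndexesDefault = web
srchFilter = sourcetype=access_combined
srchFilterSelecting = false
search = enabled
rtsearch = disabled
"""

# Indexes present on the (constructed) search head; a leading '_' marks internal ones.
KNOWN_INDEXES = ["main", "hr", "hr_confidential", "web", "_internal", "_audit"]
# Stanza keys that are settings rather than capabilities (configparser lowercases keys).
SETTINGS = {"importroles", "srchindexesallowed", "srchindexesdefault", "srchfilter", "srchfilterselecting"}


def load_roles(text):
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}


def expand_roles(roles, assigned):
    """Follow importRoles transitively (cycle-safe); directly assigned roles come first."""
    order, queue = [], list(assigned)
    while queue:
        name = queue.pop(0)
        if name in order:
            continue
        order.append(name)
        queue.extend(r.strip() for r in roles[name].get("importroles", "").split(";") if r.strip())
    return order


def _index_union(roles, order, key):
    """Expand each role's semicolon-delimited index patterns against KNOWN_INDEXES and union them."""
    found = set()
    for name in order:
        for pat in filter(None, (p.strip() for p in roles[name].get(key, "").split(";"))):
            # a pattern only reaches internal ('_') indexes if it itself starts with '_'
            found.update(i for i in KNOWN_INDEXES
                         if fnmatchcase(i, pat) and (pat.startswith("_") or not i.startswith("_")))
    return sorted(found)


def effective_access(roles, assigned):
    """Compute what a user holding the given roles can actually do and see."""
    order = expand_roles(roles, assigned)
    caps, selecting, eliminating, unrestricted = set(), [], [], False
    for name in order:
        stanza = roles[name]
        # only 'enabled' grants; 'disabled' in one role cannot revoke a grant made by another
        caps.update(k for k, v in stanza.items() if k not in SETTINGS and v == "enabled")
        flt = stanza.get("srchfilter", "").strip()
        selects = stanza.get("srchfilterselecting", "true").lower() != "false"
        if not flt:
            unrestricted = unrestricted or selects   # assumption: no filter means no restriction
        elif selects:
            selecting.append(flt)
        else:
            eliminating.append(flt)
    parts = []
    if selecting and not unrestricted:
        or_expr = " OR ".join(f"({f})" for f in selecting)
        parts.append(f"({or_expr})" if len(selecting) > 1 else or_expr)
    parts.extend(f"({f})" for f in eliminating)   # eliminating filters are always ANDed on
    return {
        "roles": order,
        "srchIndexesAllowed": _index_union(roles, order, "srchindexesallowed"),
        "srchIndexesDefault": _index_union(roles, order, "srchindexesdefault"),
        "capabilities": sorted(caps),
        "srchFilter": " AND ".join(parts),   # empty string means no restriction
    }


if __name__ == "__main__":
    roles = load_roles(SAMPLE_AUTHORIZE_CONF)
    for user in (["user", "hr_analyst"], ["hr_analyst", "contractor"], ["hr_manager"]):
        print(user, effective_access(roles, user))
```

The first case is the one worth remembering: a plain "user" who is also given hr_analyst keeps * on srchIndexesAllowed and ends up with no search filter at all, because the broader role wins. The only combination that actually narrows the result set is the contractor role with srchFilterSelecting = false, and the only reliable way to keep hr_confidential away from that user is to never grant it in any of their roles, which is the separate-index rule from the authorization card.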